MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d
SHA3-384 hash: a99efa66f86b025df69c798dcd823908e015958cbc2b3b16ea9c71e5ec475ffd75adbaeba731075721c5609e4de0340f
SHA1 hash: 97cafcb7a26e51f5112e0f9533986a8a5635c144
MD5 hash: dcd4073388ad347850c0337e08cbe388
humanhash: hamper-texas-august-oranges
File name:ALMV_launcher.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'454'080 bytes
First seen:2023-05-07 08:54:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 245662a6e5a425a1168d9f9efa96f9aa (2 x RedLineStealer)
ssdeep 12288:mWs6w3Wg86ajj2i3mqv8nWfnoKc/PCNy:uva+qv8nWfnotXCN
Threatray 480 similar samples on MalwareBazaar
TLSH T14165B04C618080EEC8A6197D0864CEF9C769BD20571785F72BEC8C6B7B15E8E19EF097
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a071d4aaecec6a41 (4 x RedLineStealer)
Reporter iamdeadlyz
Tags:37-220-87-78 exe FakeKOTA RedLineStealer


Avatar
Iamdeadlyz
From almv.cool (impersonation of kidsoftheapocalypse.com)
De-pump of 6cb3ae709c9e8f42e7f4f856812d655c1ef4411149e34ddc1e65d9c677407442
RedLineStealer C&C: 37.220.87.78:25387

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
SG SG
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
ALMV_launcher.exe
Verdict:
Malicious activity
Analysis date:
2023-05-07 08:55:43 UTC
Tags:
rat redline
Link:
https://app.any.run/tasks/7e18951d-374e-4f61-a1f4-be8226eafa7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/387263/
Detection(s):
SecuriteInfo.com.Variant.Lazy.338852.15444.26239.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a window
Reading critical registry keys
Creating a file
Stealing user critical data
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82915/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/64576767c2315c7ec20e42cc/reports/fc07b409-8471-4de2-8c19-ec84ae6d723b/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
RedLine stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9cb19c2a-d8a0-4ba5-917c-397666b3c6d5
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1227713
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d/
Threat name:
Win32.Spyware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-05-07 08:55:08 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ugpd54kpqzuf2pmlffddqdvj4en7rg3icdecqukruzndw3mrb6q._file
Verdict:
malicious
Similar samples:
2f5d54b041e6a8c3bffdb19bed589c840c5d6cfc9cb38f660af6248a15823bd0
RedLineStealer
328d4440dbd18cec4f9d204831beb8cac463d4faa25a127925b77e162688f4d3
RedLineStealer
3efa410200f86cb87e8ddd8d0e51ace698d53c1b1282932e5ac85fddd002c93b
RedLineStealer
45c2ed896f4323dff0b5959f51e2c4df36f6e3329d95943858375e01cfd97b81
RedLineStealer
46434ace2dbf0d23316b3f3332ad004961805c3c9d0b1a784868aee16278afac
RedLineStealer
4b892b3b3a3e8defd0584162880c9665bb072dd1ff2dc4da8ce38cedc6416129
RedLineStealer
662d133538baeefd71ff67d181340530345d1262236845b9cc5d4ec8d6dc1ae4
RedLineStealer
9fb7c1285a5e3bdf3aeb2f9c29a608ed8bd30f8c6321969b531194fd06cb5014
RedLineStealer
be9699ddb8ef8ff9e1fffc01543472334e84ace9eade7a09d8a011ff597e1eb9
RedLineStealer
c6ade3c9c649d486c3b2e7df7919bbee564dc56fa23950d455f8023d9013ba84
RedLineStealer
+ 470 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
spyware
Link:
https://tria.ge/reports/230507-kvfmxacf67/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Unpacked files
SH256 hash:
30eb5fcbd565c373d9c287747e795fbbebfa71154e6ac8ca6f019095ef96e7b3
MD5 hash:
fb4cad76bf25bf0626a6afc182b317a6
SHA1 hash:
bc0766bd448a841886ad8821992d3658546eedc3
Link:
https://www.unpac.me/results/44c8591a-616d-4c1c-a120-2aebfcd58226/
SH256 hash:
d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d
MD5 hash:
dcd4073388ad347850c0337e08cbe388
SHA1 hash:
97cafcb7a26e51f5112e0f9533986a8a5635c144
Link:
https://www.unpac.me/results/44c8591a-616d-4c1c-a120-2aebfcd58226/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d50cf1f78a7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

rar ba16f006ef5a5dcc9626b13c5a98b8fe9cfdb4278f45c3e27fb9925a11477632

RedLineStealer

Executable exe d50cf1f78a7c3342e9ec594a31c0754f08dfc4db408641428a8d32d1db6c887d

(this sample)

  
Dropped by
SHA256 ba16f006ef5a5dcc9626b13c5a98b8fe9cfdb4278f45c3e27fb9925a11477632
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/387263/
  
URLhaus
https://urlhaus.abuse.ch/url/2626433/
  
Dropped by
MD5 505afffb3ea723cbdf3e690cfce136a8

Comments